SENSITIVE BUT UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

Office of Audits

Evaluation of the United States Section,
International Boundary and Water Commission,
Information Security Program

Report Number AUD/IT-12-16, November 2011

Important Notice

This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. § 552.
Improper disclosure of this report may result in criminal, civil, or administrative penalties.

PREFACE

This report is being transmitted pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared as part of the Office of Inspector General's (OIG) responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

In accordance with the Federal Information Security Management Act of 2002 (FISMA), OIG performed a review of the United States Section, International Boundary and Water Commission Information Security Program for FY 2011.
The report is based on interviews with employees and officials of the United States Section, International Boundary and Water Commission headquarters and field offices, direct observation, and a review of applicable documents.

OIG identified areas in which improvements could be made, including the system inventory, risk management program, configuration management, security awareness and role-based training, plans of actions and milestones, remote access, continuous monitoring, contingency planning, oversight of contractor system, security capital planning, (b)(5).

The recommendations contained in the report were developed on the basis of the best knowledge available and were discussed in draft form with those individuals responsible for implementation. OIG's analysis of management's response to the recommendations has been incorporated into the report. OIG trusts that this report will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of the individuals who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

Acronyms

CM      configuration management
COOP    Continuity of Operations
FISMA   Federal Information Security Management Act
GSS     General Support System
IBWC    United States Section, International Boundary and Water Commission
IMD     Information Management Division
IT      information technology
NIST    National Institute of Standards and Technology
OIG     Office of Inspector General
OMB     Office of Management and Budget
POA&M   Plan of Action and Milestones
SP      Special Publication
SSP     system security plan

Table of Contents

Executive Summary ........ 1
Background ........ 4
Results of Evaluation ........ 6
    A. System Inventory ........ 6
    B. Risk Management Program ........ 7
    C. Configuration Management ........ 9
    D. Security Training ........ 10
    E. Plan of Action and Milestones ........ 12
    F. Remote Access ........ 13
    G. Continuous Monitoring ........ 14
    H. Contingency Planning ........ 17
    I. Oversight of Contractor System ........ 19
    J. Security Capital Planning ........ 20
    K. (b)(5) ........ 21
    L. (b)(5) ........ 22
List of Recommendations ........ 25
Appendices
    A. Objectives, Scope, and Methodology ........ 28
    B. Followup of Recommendations From the FY 2010 Federal Information Security Management Act Report ........ 29
    C. (b)(5) (b)(6) ........ 30
    D. (b)(5) ........ 34
    E. International Boundary and Water Commission Response ........ 39
Major Contributors to This Report ........ 49

Executive Summary

In accordance with the Federal Information Security Management Act (FISMA) of 2002,[1] the Department of State, Office of Inspector General (OIG), performed an independent evaluation of the United States Section, International Boundary and Water Commission (IBWC), information security program and practices to determine compliance with Federal laws, regulations, and standards established by FISMA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). Additionally, the results are designed to assist OIG in providing responses to OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated September 14, 2011.

OIG reviewed remedial actions taken by IBWC to address the FY 2010 reported FISMA control weaknesses identified in the independent public accounting firm's FY 2010 report Audit of the International Boundary and Water Commission Federal Information Security Management Act. The statuses of the recommendations from the FY 2010 report are presented in Appendix B.

Overall, OIG found that IBWC had implemented an information security program but identified weaknesses that, if exploited, could significantly impact the information security program controls and expose IBWC to security breaches.
The weakened security controls could adversely affect the confidentiality, integrity, and availability of IBWC information and information systems. To improve the information security program and to bring the program into compliance with FISMA, OMB, and NIST requirements, IBWC needs to address the control weaknesses identified.

A. System Inventory

IBWC has not implemented a process or procedure to update and manage its information technology (IT) assets. Although IBWC performed an inventory of its hardware and systems during FY 2011, it did not fully account for all assets. Without a process to properly identify, document, and maintain an inventory of systems, IBWC may not have an accurate accounting of all IT assets and related system interfaces and underlying support systems.

B. Risk Management Program

IBWC's risk management program for information security needs improvement at the organization and system levels. At the organizational level, IBWC had not implemented a risk management framework and information security policies and procedures that describe the roles and responsibilities of key participants. In addition, there is no governance structure in place to address risk within IBWC. Further, IBWC had not developed an IT strategic plan or enterprise architecture that shows the IT goals for the organization or links the strategic goals and objectives to the defined business functions.

[1] Pub. L. No. 107-347, title III.

At the system level, IBWC had not completed security assessment and authorization (formerly certification and accreditation) of its Supervisory Control and Data Acquisition (SCADA) systems. IBWC was not aware of the requirements to complete the security assessment and authorization process for the SCADA systems. OIG found that only one of two systems was certified and accredited by year end. Additionally, the security authorization package for the general support system (GSS) was not reassessed after a significant change. These conditions weaken IBWC's risk management framework to assess, respond to, and monitor information security risk.

C. Configuration Management

IBWC had not implemented an effective patch management process to evaluate patches for applicability, process of installation, monitoring, and periodic review of the patch statuses on the systems. Without detailed procedures that govern the performance of the configuration management processes, IBWC may not be able to manage effectively the IT security program, which may lead to the introduction of security weaknesses and inconsistent performance.

D. Security Training

Although the IBWC security awareness training program requires all personnel to complete annual security awareness training and users with significant security responsibilities to complete specialized training, OIG found that IBWC employees had not completed their general security awareness training and employees who have significant security responsibilities had not completed their specialized training.

E. Plan of Action and Milestones

IBWC had not effectively implemented a Plan of Action and Milestones (POA&M) process. OIG found that IBWC's POA&M policy and procedures had not been formally adopted by management. In addition, IBWC's POA&Ms did not identify the estimated resource requirements and corrective action plans to close the POA&M deficiencies.

F. Remote Access

IBWC had not developed and implemented a remote access policy and procedure to comply with NIST requirements. Without proper policies and procedures, individuals may introduce vulnerabilities into the IBWC network.

G. Continuous Monitoring

IBWC had not developed a means to implement continuous monitoring of its IT systems. Specifically, IBWC had not performed routine security assessments of its systems or periodic vulnerability scans. Without periodic reviews or the performance of risk-based security assessments, new threats and vulnerabilities may not be identified and mitigated in a timely manner.

H. Contingency Planning

IBWC's Continuity of Operations (COOP) does not comply with NIST Special Publication (SP) 800-34.[2]
OIG found that the COOP for IBWC's GSS had not been updated or tested after a significant change. Lack of an updated contingency plan may prevent IBWC from accessing critical information and resources and resuming business functions in case of an extended outage and/or disaster.

I. Oversight of Contractor System

IBWC had not implemented an effective oversight program of its contractor system. OIG found that IBWC officials did not have adequate control over the IT functions at the San Diego (CA) waste treatment plant. In addition, IT assets are purchased and maintained by the contractor in support of the operations in San Diego without IBWC Information Management Division (IMD) review and approval.

J. Security Capital Planning

Information security is not integrated into IBWC's Capital Planning and Investment Control process. IBWC did not provide OMB with a detailed explanation for the major investment related to its IT assets. Inadequate planning increases the risk that requests for funding investments will not receive proper consideration.

(b)(5)

(b)(5)

OIG made 21 recommendations, including the three recommendations included in OIG's August 26, 2011, Outline for Action that pertained to personnel security and physical and environmental protection (Findings K and L, respectively). The other significant security deficiencies requiring immediate attention are in the risk management program (Finding B), security configuration management (Finding C), plans of action and milestones (Finding E), continuous monitoring (Finding G), and oversight of the contractor system (Finding I).

IBWC concurred with all the recommendations. Based on the information provided, OIG considers all 21 recommendations resolved, pending further action. IBWC's responses and OIG's replies are presented after each recommendation.

Background

IBWC is an international organization created in 1889 by the Governments of the United States and Mexico to administer the boundary and water rights treaties and agreements between the two countries.

The entity was created as the International Boundary Commission by the Convention of 1889[3] and given its current name under the Treaty of 1944.[4] IBWC consists of the United States Section and the Mexican Section, which have their headquarters in the adjoining cities of El Paso and Ciudad Juárez, Chihuahua, respectively. Although IBWC is an independent international entity, the United States Section takes direction from the Department of State on matters related to foreign policy. The Mexican Section is a unit in the Mexican Ministry of Foreign Affairs.

IBWC is charged through a series of treaties and agreements with the application, regulation, and exercise of the provisions of such treaties and agreements for the solution of water and boundary issues along the 1,954-mile border between the two countries. The United States Section of IBWC operates under the provisions of 22 U.S.C. 277.[5]
The mission of the United States Section working jointly with the Mexican Section is as follows:

• Distribute the waters of the boundary rivers between the two countries.
• Operate international flood control along the boundary rivers.
• Operate the international reservoirs for conservation and regulation of Rio Grande waters for the two countries.
• Improve the quality of water of international rivers.
• Resolve border sanitation issues.
• Develop hydroelectric power.
• Establish the boundary in the area limitrophe to (bordering) the Rio Grande.
• Demarcate the land boundary.

[3] The Convention of 1889 was to avoid the difficulties occasioned by reason of the changes that take place in the beds of the Rio Grande and Colorado River, U.S.-Mex., March 1, 1889, 26 Stat. 1512 (extended indefinitely by Article two of treaty signed Feb. 3, 1944) (59 Stat. 1219).
[4] Treaty of 1944 relates to utilization of waters of the Colorado and Tijuana Rivers and of the Rio Grande, and supplementary protocol, U.S.-Mexico, Feb. 3, 1944 (59 Stat. 1219).
[5] 22 U.S.C. § 277, "International Boundary Commission, United States and Mexico; study of boundary waters."

The Federal Information Security Management Act of 2002 (FISMA) was enacted into law as Title III, Public Law Number 107-347 on December 17, 2002. Key requirements of FISMA are as follows:

• The establishment of an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
• An annual independent evaluation of the agency's information security programs and practices.
• An assessment of compliance with FISMA requirements.

FISMA recognized the importance of information security to the economic and national security interests of the United States. FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including information and information systems provided or managed by another agency, contractor, or source. FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of management, operational, and technical controls over IT that supports Federal operations and assets, and it provides a mechanism for improved oversight of Federal agency information security programs.

FISMA assigns specific responsibilities to Federal agencies, NIST, OMB, and the Department of Homeland Security (DHS) to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost effectively reduce IT security risks to an acceptable level.
To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, chief information security officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency's information security program and report the results to DHS.

On an annual basis, OMB provides guidance with reporting categories and questions for meeting the current year's reporting requirements.[6] OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with FISMA.

[6] OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated Sept. 14, 2011.

Results of Evaluation

Overall, OIG found that IBWC had implemented an information security program; however, OIG identified weaknesses that, if exploited, could significantly impact the information security program controls and expose IBWC to security breaches. The weakened security controls could also adversely affect the confidentiality, integrity, and availability of information and information systems. To improve the information security program and to bring the program into compliance with FISMA, OMB, and NIST requirements, IBWC needs to address the control weaknesses described.

A. System Inventory

IBWC had not implemented an inventory management process and procedures to update and manage its IT assets. Although IBWC performed an inventory of its hardware and systems during FY 2011, it did not fully account for all assets.
OIG found that the IBWC inventory listed only components associated with the GSS and did not include all IT assets. Specifically, OIG identified components in the server room and in the wiring rooms of the first and third floors at the headquarters in El Paso, and at the San Diego field office, that were not recorded in the inventory. In addition, the listing did not include the SCADA systems operated at the IBWC field offices in San Diego and at Falcon and Amistad (TX).[7]

FISMA requires the heads of each agency to develop and maintain an inventory of major information systems operated by or under the agency's control and to identify information systems in an inventory, to include identifying the interfaces between each system and other systems or networks and including those information systems not operated by or under the control of the agency. FISMA further requires the inventory to be updated at least annually and to be used to support information resources management.

Without a system inventory management process for all IT assets, including the SCADA systems, IBWC will not have an accurate accounting of all related system interfaces or underlying support systems and will not be able to properly identify and mitigate security risks. As a result, critical management processes such as strategic planning, budgeting, system administration, and resource management may be adversely affected.

Recommendation 1. OIG recommends that the Chief Information Officer ensure that all assets are accounted for in the inventory system and develop a process that updates, not less than annually, the International Boundary and Water Commission's (IBWC) system inventory when changes are made to those information systems operated by or under the control of IBWC or by third-party contractors or agencies on behalf of IBWC, as required by the Federal Information Security Management Act.

[7] The SCADA system in San Diego is contractor owned and operated. The SCADA systems in Falcon and Amistad are owned and operated by IBWC. OIG performed fieldwork at the office in San Diego.

Management Response: IBWC concurred with the recommendation, stating that IMD "has initiated the development of its own IT asset inventory, in addition to the one maintained" in the Department's ILMS, "in order to accurately account for all IT assets that make up the [GSS] and existing SCADA systems identified" in San Diego, Nogales (AZ), Amistad, and Falcon.

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented a process to accurately account for all IT assets in the inventory system.

B. Risk Management Program

IBWC's risk management program for information security needs improvement at the organization and system levels.
At the organizational and system level, IBWC had not implemented a risk management framework and information security policies and procedures that describe the roles and responsibilities of key participants. As such, OIG could not review the risk management framework and determine how IBWC manages information security risk.

In addition, IBWC did not have a governance structure in place to address risk within the organization and had not developed an IT strategic plan or enterprise architecture that shows the IT goals for the organization or links the strategic goals and objectives to the defined business functions. Further, because the risk management strategy had not been implemented at the organizational level, communication of operations at the system level is negatively affected, along with business decisions such as funding allocation, because management was not fully aware of the security vulnerabilities that exist.

At the information system level, OIG found deficiencies in the security assessment and authorization (formerly certification and accreditation) documentation as follows:

• For the SCADA systems, IBWC had not completed the security assessment and authorization package, as required by NIST SP 800-82[8] and NIST SP 800-53, Revision 3.[9]
• For the GSS SSP, only one of two systems had been assessed and authorized by year end. The CIO certified the GSS SSP in April 2007. However, several changes have been made to the GSS since that time, including a change to the designated approving authority, the addition of a COOP site, and a change to the transportation mode for information.
• For the GSS SSP, which documents security controls for the system, the security baseline controls were not documented in compliance with NIST SP 800-53, Revision 3, and the security assessment report supporting the independent assessor's evaluation of management, operational, and technical controls was outdated. IBWC also did not review and document test results of annual subset assessments.
• For the authority to operate, which proves that an authorizing official has accepted the identified risk, OIG found that the GSS did not have a full security assessment and authorization performed after significant changes had been made to the network environment. In addition, the GSS authority to operate was not valid because of a change in the designated approving authority.

[8] NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, June 2011.
[9] NIST SP 800-53, rev. 3, Recommended Security Controls for Information Systems and Organizations, Aug. 2009 (last updated May 2010).

IBWC did not properly follow guidelines contained in NIST SP 800-37, Revision 1,[10] for properly managing the documentation in the security assessment and authorization packages. An IBWC official stated that IBWC was unaware of the requirement to complete the security assessments and authorization packages for the SCADA systems and the requirement to update the GSS SSP after significant changes were made.
These conditions weaken IBWC’s risk management framework to assess, respond to, and monitor information security risk.

    Recommendation 2. OIG recommends that the Chief Information Officer improve the risk management strategy at the organizational level for assessing, responding to, and monitoring information security risk, as required in National Institute of Standards and Technology Special Publication 800-37, Revision 1.

    Management Response: IBWC concurred with the recommendation, stating that the CIO “has initiated steps necessary to bring about an effective risk management framework and policies and procedures in accordance with NIST SP 800-37 Revision 1.” IBWC also stated that the IMD “has begun updating the existing System Security Plan to include all current security baseline controls, changes in the GSS and identified SCADA systems.” In addition, according to IBWC, the IMD “will prepare a new security assessment and authorization package to apply for and achieve an Authority to Operate designation from the new Designated Authority in FY12.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented a risk management strategy at the organizational level for assessing, responding to, and monitoring information security risk.

    Recommendation 3. OIG recommends that the Chief Information Officer:
      • Develop the security assessment and authorization packages for the Supervisory Control and Data Acquisition systems, as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-82 and NIST SP 800-53, Revision 3.
      • Improve existing procedures to ensure security assessment and authorization packages are updated every 3 years or when a significant change occurs, as required by NIST SP 800-37, Revision 1.
      • Improve existing procedures to ensure system security plans and security assessment reports are updated as required to comply with the security baseline controls in NIST SP 800-53, Revision 3.
      • Perform annual security assessments of a subset of a system’s security controls, as required by NIST SP 800-37, Revision 1.

¹⁰ NIST SP 800-37, rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems, Feb. 2010.

    Management Response: IBWC concurred with the recommendation, stating that the CIO “will take all necessary action to comply with all items under this recommendation and to comply with NIST SP 800-53, Revision 3, NIST SP 800-37, Revision 1, and SP 800-82.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented all items under this recommendation and has taken actions to comply with the special publications specified.

C. Configuration Management

IBWC had not implemented effective configuration management (CM) standards and procedures for its IT environment. Although IBWC had CM standards and procedures in place, it did not account for the patch management process to evaluate patches for applicability, installation process, monitoring, and periodic review of the patch status on the systems. (b) (5)

According to NIST SP 800-53, Revision 3, security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

NIST SP 800-53, Revision 3, states:

        “The organization develops, disseminates, and reviews/updates [at an organizational-defined frequency]:

        a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

        b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.”¹¹

¹¹ CM-1, “Configuration Management Policy and Procedures.”

An IBWC official stated that the CM standards and procedures are currently being “revamped” but that the draft CM policy and procedures are currently being utilized. Without detailed procedures that govern the performance of the CM processes, IBWC will not be able to effectively manage the IT security program, which could lead to the introduction of security weaknesses and inconsistent performance.

    Recommendation 4. OIG recommends the Chief Information Officer develop and implement security configuration management procedures and periodically assess compliance with the implemented procedures, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

    Management Response: IBWC concurred with the recommendation, stating that the “draft Configuration Management policy and procedure is currently being reviewed by management for approval by the Commissioner.” IBWC further stated, “With the acquisition of new security appliances purchased in FY11, the IMD will be able to evaluate patches for applicability, install, monitor and review patch status on all systems in a much more efficient and effective way.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented security configuration management procedures and periodically assessed compliance with the implemented procedures.

    Recommendation 5. OIG recommends that the Chief Information Officer develop procedures for the oversight of all systems and hardware that are part of the International Boundary and Water Commission operations, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

    Management Response: IBWC concurred with the recommendation, stating that the IMD “has acquired hardware and software that will provide the necessary tools to establish an effective continuous monitoring program.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented procedures for the oversight of all systems and hardware that are part of IBWC operations.

D. Security Training

Although IBWC’s security awareness training program requires all personnel to complete annual security awareness training and users with significant security responsibilities to complete specialized training, OIG found that IBWC employees had not completed their general security awareness training and employees with significant security responsibilities had not completed their specialized training.

OMB Circular No. A-130¹² mandates that agencies provide periodic computer security awareness training to all users as well as specialized training for individuals who have significant security responsibilities. Training ensures that all users are knowledgeable about the rules of the system. However, IBWC officials did not enforce compliance with the security awareness training policy.
An IBWC official stated that compliance with training had not been strictly enforced but that IBWC intends to train all employees by the end of the fiscal year.

NIST SP 800-50¹³ states, “at a minimum, the entire workforce should be exposed to awareness material annually. A continuous awareness program, using various methods of delivery throughout the year, can be very effective. Security training for groups of users with significant security responsibility (e.g., system and network administrators, managers, security officers) should be incorporated into ongoing functional training as needed. The organization ensures all users (including managers and senior executives) are exposed to basic information system security awareness materials before authorizing access to the system and thereafter (i.e., at least annually).” NIST SP 800-53, Revision 3,¹⁴ states, “[T]he organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.”

Without the completion of initial and annual security awareness training, personnel may be unaware of new risks that may compromise the confidentiality, integrity, and availability of data. As a result, personnel may be unable to recognize and respond appropriately to potential and actual security concerns.

    Recommendation 6. OIG recommends that the Chief Information Officer enforce the security awareness training policy requiring all personnel to attend initial and refresher security awareness training and enforce consequences of noncompliance for personnel who do not successfully complete the security awareness training, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3, and Office of Management and Budget Circular No. A-130.

    Management Response: IBWC concurred with the recommendation, stating that the IMD had “conducted five IT Security training classes immediately after the OIG visit in August resulting in 235 employees out of 272 completing their annual IT Security training.” IBWC also stated that the IMD “has also acquired a cloud based training system that will allow for a much more efficient method to provide IT Security training to IBWC personnel.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented the security awareness training policy requiring all personnel to attend initial and refresher security awareness training and enforced consequences of noncompliance for personnel who do not successfully complete the training.

¹² OMB Circular No. A-130, revised, Management of Federal Information Resources, app. III, “Security of Federal Automated Information Resources.”

¹³ NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, pg. 20, F/N 13, Oct. 2003.

¹⁴ NIST SP 800-53, rev. 3, PS-8 Personnel Sanctions, Aug. 2009.

    Recommendation 7. OIG recommends that the Chief Information Officer enforce the security awareness training requirement for those personnel with significant security responsibilities, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3, and Office of Management and Budget Circular No. A-130.

    Management Response: IBWC concurred with the recommendation, stating, “Of the eight employees within the agency with significant security responsibilities, five attended training resulting in approximately 63% of employees with significant security responsibilities meeting this requirement. The remaining employees are scheduled to obtain the required in FY12.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented the security awareness training requirement for those personnel with significant security responsibilities.

E. Plan of Action and Milestones

IBWC had not effectively implemented a POA&M process. The implementation of a POA&M process is important to assess the state of the GSS security posture and to aid in oversight of IT investments. Specifically, OIG found the following deficiencies:

  • The POA&Ms did not address findings identified during previous FISMA reviews.
  • The POA&Ms were not properly updated and provided to the CIO on a quarterly basis.
  • The POA&Ms did not contain all elements required by OMB, including details of the estimated resource requirements and corrective action plans to close the POA&M deficiencies. Also, changes to milestones for actions had not been completed.

OMB Memorandum M-08-21¹⁵ states:

        POA&Ms must . . . include all security weaknesses found during any other review done by, for, or on behalf of the agency, including [Government Accountability Office] audits, financial system audits, and critical infrastructure vulnerability assessments.
        These plans should be the authoritative agency-wide management tool, inclusive of all evaluations.

OMB Memorandum M-08-21¹⁶ further states:

        A [POA&M], also referred to as a corrective action plan, is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.

¹⁵ OMB Memorandum M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 14, 2008.

¹⁶ Ibid.

OMB Memorandum M-02-01¹⁷ provides the required elements and procedures for the POA&M process.

An IBWC official stated that the policy and procedures had not been approved by management and were still in draft form. Without periodic updates and reviews of POA&M activities, IBWC management may be unaware of the statuses of corrective actions. As a result, delays in the implementation of corrective actions may not be appropriately identified and resolved in a timely manner.

    Recommendation 8. OIG recommends the Chief Information Officer implement a Plan of Action and Milestones (POA&M) process and review the quarterly POA&M reports and all elements of the POA&M, as required by Office of Management and Budget Memorandums M-02-01 and M-08-21.

    Management Response: IBWC concurred with the recommendation, stating that the draft POA&M “policy and procedure, which includes controls to methodically address findings and facilitate review by the CIO on a quarterly basis is currently being reviewed by management for approval by the Commissioner.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented a POA&M process and has reviewed the quarterly POA&M reports and all elements of the POA&M.

F. Remote Access

IBWC had not developed and implemented a remote access policy and procedure to comply with NIST requirements. NIST SP 800-53, Revision 3, states that the organization documents, monitors, and controls all methods of remote access (for example, dial-up and the Internet) to the information system, including remote access for privileged functions. Appropriate organization officials authorize each remote access method for the information system and authorize only the necessary users for each access method.

An IBWC official stated that the access control (AC) policy and procedure document contains procedures for remote access. However, OIG noted that the AC procedure did not adequately address the remote access process. Without proper policies and procedures that require documentation of all requests and authorizations of system access, individuals may introduce vulnerabilities into IBWC’s network.

¹⁷ OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, Oct. 17, 2001.

    Recommendation 9. OIG recommends that the Chief Information Officer develop a remote access policy and procedure, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

    Management Response: IBWC concurred with the recommendation, stating that the IMD “is currently updating the existing Access Control policy and procedure to more adequately document the remote access process.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has developed a remote access policy and procedure.

G. Continuous Monitoring

IBWC had not developed a means to implement continuous monitoring of its information technology systems. OIG found that although IBWC had assessed some of the controls of the operating environment, these were manual controls and IBWC had not performed automated routine security assessments of its system environment using the framework outlined in NIST SP 800-53A.¹⁸ In November 2009, IBWC performed the security test and evaluation to verify compliance with its security policy guidelines and to evaluate the effectiveness of the security controls against anticipated threats.
In addition, IBWC ensured that a comprehensive testing activity was identified to cover all appropriate security requirements, involved all necessary individuals, and ultimately provided the information needed to support the security assessment and authorization (formerly the certification and accreditation) process. However, IBWC had not expanded the process to include the periodic re-performance of vulnerability scans for its systems or automated routine performance of such scans on its enterprise network.

NIST SP 800-53, Revision 3,¹⁹ states that the organization “scans for vulnerabilities in the information system [in accordance with organization defined] and when new vulnerabilities potentially affecting the system/application are identified and reported.”

NIST SP 800-53, Revision 3,²⁰ states:

        The organization subsequently initiates specific follow-on actions as part of a comprehensive continuous monitoring program. The continuous monitoring program includes an ongoing assessment of security control effectiveness to determine if there is a need to modify or update the current deployed set of security controls based on changes in the information system or its environment of operation (RMF Step 6). In particular, the organization revisits on a regular basis, the risk management activities described in the Risk Management Framework. In addition to the ongoing activities associated with the implementation of the Risk Management Framework, there are certain events which can trigger the immediate need to assess the security state of the information system and if required, modify or update the current security controls. These events include, for example:

        • An incident results in a breach to the information system, producing a loss of confidence by the organization in the confidentiality, integrity, or availability of information processed, stored, or transmitted by the system;
        • A newly identified, credible, information system-related threat to organizational operations and assets, individuals, other organizations, or the Nation is identified based on intelligence information, law enforcement information, or other credible sources of information;
        • Significant changes to the configuration of the information system through the removal or addition of new or upgraded hardware, software, or firmware or changes in the operational environment potentially degrade the security state of the system; or
        • Significant changes to the organizational risk management strategy, information security policy, supported missions and/or business functions, or information being processed, stored, or transmitted by the information system.

        When such events occur, organizations, at a minimum, take the following actions:

        • Reconfirm the security category and impact level of the information system. The organization reexamines the FIPS 199 security category and FIPS 200 impact level of the information system to confirm that the security category and system impact level previously established and approved by the authorizing official are still valid. The resulting analysis may provide new insights as to the overall importance of the information system in allowing the organization to fulfill its mission/business responsibilities.
        • Assess the current security state of the information system and the risk to organizational operations and assets, individuals, other organizations, and the Nation. The organization investigates the information system vulnerability (or vulnerabilities) exploited by the threat source (or potentially exploitable by a threat source) and the security controls currently implemented within the system as described in the security plan. The exploitation of information system vulnerabilities by a threat source may be traced to one or more factors including but not limited to: (i) the failure of currently implemented security controls; (ii) missing security controls; (iii) insufficient strength of security controls; and/or (iv) an increase in the capability of the threat source. Using the results from the assessment of the current security state, the organization reassesses the risks arising from use of the information system.
        • Plan for and initiate any necessary corrective actions. Based on the results of an updated risk assessment, the organization determines what additional security controls and/or control enhancements or corrective actions for existing controls are necessary to adequately mitigate risk. The security plan for the information system is updated to reflect any initial changes to the original plan. A plan of action and milestones is developed for any noted weaknesses or deficiencies that are not immediately corrected and for the implementation of any security control upgrades or additional controls.

        After the security controls and/or control upgrades have been implemented and any other weaknesses or deficiencies corrected, the controls are assessed for effectiveness to determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. If necessary, the security plan is updated to reflect any additional corrective actions taken by the organization to mitigate risk.

¹⁸ NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, RA-5 Vulnerability Scanning, July 2008.

¹⁹ NIST SP 800-53, rev. 3, Monitoring Security Controls, pg. 27, Aug. 2009.

²⁰ Ibid.

Additionally, NIST SP 800-53, Revision 3,²¹ states that the risk assessment policy and procedures should include the following:

        a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
        b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

(b) (5)

²¹ Ibid.

(b) (5)

An IBWC official stated that there is no continuous monitoring program in place that includes routine vulnerability scanning, log monitoring, and notification of unauthorized devices. Also, policies and procedures detailing the strategy and plans for conducting continuous monitoring activities are not documented. Without periodic reviews or the performance of risk-based security assessments, new threats and vulnerabilities may not be identified and mitigated in a timely manner.

    Recommendation 10. OIG recommends that the Chief Information Officer develop and implement policies and procedures to perform continuous monitoring to include automated routine vulnerability assessments for all major systems and general support systems (GSS). The results of such security assessments should be reviewed, and Plans of Action and Milestones should be developed for the improvement of the security controls of major systems and GSS, as required by National Institute of Standards and Technology Special Publications 800-53, Revision 3, and 800-53A.

    Management Response: IBWC concurred with the recommendation, stating that the IMD “has acquired hardware and software that will provide the necessary tools to establish an effective continuous monitoring program.” IBWC also stated the IMD had “installed a Solar Winds Orion network performance monitor that will grant them the ability to monitor network activity.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has developed and implemented policies and procedures to perform continuous monitoring to include automated routine vulnerability assessments for all major systems and GSSs.

H. Contingency Planning

IBWC’s COOP does not comply with NIST SP 800-34.²⁴ Specifically, IBWC had not updated its contingency plan and testing policies and procedures. In particular, the IBWC COOP for its GSS had not been updated to reflect significant changes to the environment, and testing had not been performed.

NIST SP 800-34, Revision 1,²⁵ states that information systems are “vital elements” in most business functions and that “it is critical” that the services provided by these systems be able to operate effectively without excessive interruption.
The publication further states, “Contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption.”

An IBWC official stated that the field offices in Nogales, San Diego, and Yuma (AZ) are configured for a manual backup process and that the manual backup is performed remotely on a monthly basis. The data is backed up on an on-site terabyte external drive. There is no off-site backup for the three field offices. NIST SP 800-53, Revision 3,²⁶ requires agencies to identify an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards and to conduct annual tests of backup information to verify media reliability and information integrity.

²⁴ NIST SP 800-34, rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010.

²⁵ Ibid.

An IBWC official stated that the COOP needs to be reassessed and that there was a manual backup process because of the types of servers at the sites. Also, although an alternate site is running, its status as a “hot” or “cold” site²⁷ still needs to be determined. However, the lack of an updated contingency plan may prevent IBWC from accessing critical information and resources and resuming business functions if an extended outage and/or a disaster occurs.

    Recommendation 11. OIG recommends that the International Boundary and Water Commission finalize the Continuity of Operations site and conduct testing for operational effectiveness, as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

    Management Response: IBWC concurred with the recommendation, stating that the IMD “is in the process of updating the current COOP policy and procedure as the infrastructure at the COOP site in Las Cruces, NM continues to be developed.” IBWC also stated that the IMD “is developing a continuity plan to be reviewed by management to determine what level of COOP the IMD will be required to maintain, taking into consideration the financial and maintenance requirements needed.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has finalized the Continuity of Operations site and conducted testing for operational effectiveness.

    Recommendation 12. OIG recommends that the International Boundary and Water Commission identify an off-site backup for its field offices in Nogales (AZ), San Diego (CA), and Yuma (AZ), as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

    Management Response: IBWC stated that the recommendation is resolved in that the IMD “has acquired the needed client to allow for the full offsite backup of all field offices.”

    OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has identified an off-site backup for the three field offices specified.

²⁶ NIST SP 800-53, rev. 3, Aug. 2009.

²⁷ A hot site is a building already equipped with processing capability and other services, and a cold site houses processors that can be easily adapted for use.

I. Oversight of Contractor System

IBWC had not implemented an effective oversight program of its contractor system.

Since IBWC had not developed policies and procedures to oversee the San Diego operations, the field office relied heavily on contractor-produced policies and procedures.

OIG also found that IBWC officials did not have adequate control over the IT functions at the San Diego waste treatment plant or the IT assets purchased and maintained by the contractor in support of operations. During its fieldwork, OIG found that the contractor had an inappropriate degree of latitude on purchases of IT assets, with little or no input from IBWC management.
Additionally, contractor-owned software was operating on the local area network (LAN) at the San Diego waste treatment plant without proper review and approval by IBWC’s IMD.

OMB Memorandum M-11-33[30] states: “Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data. Agencies must also review the security of other users with privileged access to Federal data and systems.”

An IBWC official stated that the inventory database had not been updated to remove old components or include newly purchased components. The San Diego Field Office project manager’s understanding was that oversight of contractor operations was assigned to the field office and the contracting officer’s representative and that the IT functions rest with IMD. However, the contracting officer’s representative is responsible more specifically for the employees and for hardware/operations of the plant rather than for the IT assets. Without adequate contractor oversight, IBWC has minimal assurance that contractor personnel are compliant with FISMA, OMB requirements, and NIST standards. Further, because the IMD has no review and approval process, contractors may be purchasing IT assets that are not in the best interest of IBWC. Finally, without proper oversight, there is an increased risk that data collected, processed, and maintained is exposed to unauthorized access, use, disclosure, disruption, modification, or destruction.

Recommendation 13. OIG recommends that the International Boundary and Water Commission ensure that its Information Management Division is involved in the oversight of information technology assets purchased and maintained by the contractor in support of operations at the waste treatment plant in San Diego (CA), as required by National Institute of Standards and Technology Special Publications 800-53, Revision 3, and 800-82 and with Office of Management and Budget Memorandum M-11-33.

(b) (5)

[30] OMB Memorandum M-11-33, Sept. 14, 2011.

Management Response: IBWC concurred with the recommendation, stating that the CIO “is requiring modifications to the contract in place, to ensure the IMD is notified in a timely manner, of all planned technology asset purchases, in order to provide the required level of oversight of new IT purchases and existing assets maintained by the contractor.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented oversight of IT assets purchased and maintained by the contractor in support of operations at the waste treatment plant in San Diego.

Recommendation 14.
OIG recommends that the International Boundary and Water Commission (IBWC) ensure that its Information Management Division reviews and approves software prior to installation on IBWC assets, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3, and Office of Management and Budget Memorandum M-11-33.

Management Response: IBWC concurred with the recommendation, stating that the CIO “is requiring modifications to the contract in place, to ensure the IMD is notified in a timely manner of all planned software purchases in order to provide the required level of oversight of new IT purchases and existing software maintained by the contractor.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented a process to review and approve software prior to installation on IBWC assets.

J. Security Capital Planning

Information security is not integrated into IBWC’s Capital Planning and Investment Control process. IBWC did not provide OMB with a detailed explanation for the major investment related to its IT capital investment. Inadequate planning increases the risk that requests for funding investments will not receive proper consideration. An IBWC official stated that the resource management goals within the IBWC strategic plan did not include IT. According to IBWC officials, because IBWC is a small organization, its budget requirements are not at the level established for reporting to OMB. IBWC understands the threshold to be $2 million, but IBWC’s current IT assets are approximately $100,000. However, IBWC acknowledged that the current assets do not include the SCADA systems. As such, IBWC had been using the IT workplan and had not been assessing the risks identified in the POA&Ms as part of the IBWC capital planning request. IBWC has been working on a year-to-year IT workplan to identify high-priority tasks to continue developing the IT environment.

OMB Memorandum M-11-33[31] mandates that IBWC “integrate and fund IT security over the life cycle of each system.” The memorandum also states that security requirements for a steady-state (existing) system (including maintenance and operation costs at its current capability and performance level) must be met before spending funds on new systems or modernizing an existing system.

The lack of integration between the POA&M process and the capital planning process negatively affects the funding prioritization in IBWC. The current process does not properly consider needed IT investments and subsequently fails to request necessary funding.

Recommendation 15.
OIG recommends that the Chief Information Officer ensure that all funding for information technology (IT) security investments and IT components is tracked, as required by Office of Management and Budget Memorandum M-11-33.

Management Response: IBWC concurred with the recommendation, stating that the CIO “will utilize and expand upon the existing budget account structure in place to track all expenses by Operating Allowance or Cost Center for all labor and non-labor costs to track all IT costs.” IBWC also stated that it “will ensure that through an effective information security program” that IBWC “will effectively protect information and systems as well as maintain the integrity, reliability, availability, and confidentiality of our information, consistent with Office of Management and Budget Memorandum M-00-07 and M-06-19.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has ensured that all funding for IT security investments and IT components is tracked.

(b) (5)

[31] OMB Memorandum M-11-33, Sept. 14, 2011.

(b) (5)

In addition to the weakness in physical and environmental protection already mentioned, OIG identified a weakness with physical access to the server room at IBWC’s United States Section headquarters in El Paso. Access is not granted on a “need to know” basis; rather, all IMD staff members have access. The server room is accessed through a locked door with a cipher lock; however, employees do not have unique combinations (all employees use the same combination for access), and this defeats the accountability and control to IBWC’s information and information systems.

According to NIST SP 800-53, Revision 3,[33] the organization develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible), issues authorization credentials, reviews and approves the access list and authorization credentials, and removes from the access list personnel no longer requiring access.

(b) (5)

In addition, there were no emergency shutoffs of power or emergency lighting within the computer area to prevent damage to equipment or injury to personnel.
Finally, IBWC had not maintained fire suppression and detection devices for water and humidity.

NIST SP 800-53, Revision 3,[34] states that “the organization protects power equipment and power cabling for the information system from damage and destruction.” NIST SP 800-53 also states that “the organization provides the capability to shut off power to the information system or individual system components in emergencies; provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss; employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility; and employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.”

[33] NIST SP 800-53, rev. 3, PE-2 Physical Access Authorizations, Aug. 2009.
[34] Ibid., PE-9 Power Equipment and Power Cabling, PE-10 Emergency Shutoff, PE-11 Emergency Power, PE-12 Emergency Lighting, and PE-13 Fire Protection apply.

Without an effective physical and environmental protection plan, personnel may be unaware of risks that could compromise the confidentiality, integrity, and availability of data or result in injuries to personnel and damage or destruction of IBWC IT assets.

(b) (5)

Recommendation 19. OIG recommends that the International Boundary and Water Commission implement a process to review, update, and approve the Information Management Division staff access list to the server room at its office in El Paso (TX), as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Management Response: IBWC concurred with the recommendation, stating that the CIO and the IMD recognize “the risks associated with an unmonitored entry way into the agency’s main LAN [local area network] room and will take the necessary steps to implement an additional proximity card reader to limit access to only authorized IMD personnel.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented a process to review, update, and approve IMD’s staff access list to the server room at its office in El Paso.

Recommendation 20: (b) (5)

Recommendation 21.
OIG recommends that the International Boundary and Water Commission determine the most cost-effective protective measures for fire prevention and damage to file servers, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Management Response: IBWC concurred with the recommendation, stating that the CIO “is working with the IMD to issue specific guidance to the San Diego and Yuma Area Operations Managers, detailing actions required removing all unnecessary items out of the server rooms to minimize or eliminate the potential of damage to equipment or injury to personnel.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that IBWC has implemented the most cost-effective protective measures for fire prevention and damage to file servers.

List of Recommendations

Recommendation 1: OIG recommends that the Chief Information Officer ensure that all assets are accounted for in the inventory system and develop a process that updates, not less than annually, the International Boundary and Water Commission’s (IBWC) system inventory when changes are made to those information systems operated by or under the control of IBWC or by third-party contractors or agencies on behalf of IBWC, as required by the Federal Information Security Management Act.

Recommendation 2: OIG recommends that the Chief Information Officer improve the risk management strategy at the organizational level for assessing, responding to, and monitoring information security risk,
as required in National Institute of Standards and Technology Special Publication 800-37, Revision 1.

Recommendation 3: OIG recommends that the Chief Information Officer:

• Develop the security assessment and authorization packages for the Supervisory Control and Data Acquisition systems as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-82 and NIST SP 800-53, Revision 3.
• Improve existing procedures to ensure security assessment and authorization packages are updated every 3 years or when a significant change occurs, as required by NIST SP 800-37, Revision 1.
• Improve existing procedures to ensure system security plans and security assessment reports are updated as required to comply with the security baseline controls in NIST SP 800-53, Revision 3.
• Perform annual security assessments of a subset of a system’s security controls, as required by NIST SP 800-37, Revision 1.

Recommendation 4: OIG recommends the Chief Information Officer develop and implement security configuration management procedures and periodically assess compliance with the implemented procedures, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Recommendation 5: OIG recommends that the Chief Information Officer develop procedures for the oversight of all systems and hardware that are part of the International Boundary and Water Commission operations, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Recommendation 6: OIG recommends that the Chief Information Officer enforce the security awareness training policy requiring all personnel to attend initial and refresher security awareness training and enforce consequences of non-compliance for personnel who do not successfully complete the security awareness training, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3, and Office of Management and Budget Circular No. A-130.

Recommendation 7: OIG recommends that the Chief Information Officer enforce the security awareness training requirement for those personnel with significant security responsibilities, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3, and Office of Management and Budget Circular No. A-130.

Recommendation 8: OIG recommends the Chief Information Officer implement a Plan of Action and Milestones (POA&M) process and review the quarterly POA&M reports and all elements of the POA&M, as required by Office of Management and Budget (OMB) Memorandums M-02-01 and M-08-21.

Recommendation 9: OIG recommends that the Chief Information Officer develop a remote access policy and procedure, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3.

Recommendation 10: OIG recommends that the Chief Information Officer develop and implement policies and procedures to perform continuous monitoring to include automated routine vulnerability assessments for all major systems and general support systems (GSS).
The results of such security assessments should be reviewed, and Plans of Action and Milestones should be developed for the improvement of the security controls of major systems and GSS, as required by National Institute of Standards and Technology Special Publications 800-53, Revision 3, and 800-53A.

Recommendation 11: OIG recommends that the International Boundary and Water Commission finalize the Continuity of Operations site and conduct testing for operational effectiveness, as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

Recommendation 12: OIG recommends that the International Boundary and Water Commission identify an off-site backup for its field offices in Nogales (AZ), San Diego (CA), and Yuma (AZ), as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

Recommendation 13: OIG recommends that the International Boundary and Water Commission ensure that its Information Management Division is involved in the oversight of information technology assets purchased and maintained by the contractor in support of operations at the waste treatment plant in San Diego (CA), as required by National Institute of Standards and Technology Special Publications 800-53, Revision 3, and 800-82 and with Office of Management and Budget Memorandum M-11-33.

Recommendation 14: OIG recommends that the International Boundary and Water Commission (IBWC) ensure that its Information Management Division reviews and approves software prior to installation on IBWC assets, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3, and Office of Management and Budget Memorandum M-11-33.

Recommendation 15: OIG recommends that the Chief Information Officer ensure that all funding for information technology (IT) security investments and IT components is tracked, as required by Office of Management and Budget Memorandum M-11-33.

(b) (5)

Recommendation 19: OIG recommends that the International Boundary and Water Commission implement a process to review, update, and approve the Information Management Division staff access list to the server room at its office in El Paso (TX), as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(b) (5)

Recommendation 21: OIG recommends that the International Boundary and Water Commission determine the most cost-effective protective measures for fire prevention and damage to file servers, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Appendix A.
Objectives, Scope, and Methodology

To fulfill its responsibilities related to the Federal Information Security Management Act of 2002 (FISMA), the Office of Inspector General (OIG), Office of Audits, visited the El Paso (TX) headquarters and the San Diego (CA) and Yuma (AZ) field operations offices to evaluate the International Boundary and Water Commission’s (IBWC) information technology security program and practices and to determine the effectiveness of the program for FY 2011.

FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency or contractor or another source. To ensure the adequacy and effectiveness of these controls, FISMA requires the agency’s inspector general or an independent external auditor to perform annual reviews of the information security program and to report those results to the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS). DHS uses this data to assist in oversight responsibilities and to prepare its annual report to Congress regarding agency compliance with FISMA.

OIG conducted its evaluation from June through October 2011. In addition, OIG performed the evaluation in accordance with generally accepted government auditing standards (GAGAS) and with FISMA, OMB, and National Institute of Standards and Technology Special Publication guidance. GAGAS requires the audit to be planned and performed to obtain sufficient, appropriate evidence to provide a reasonable basis for its findings and conclusions based on the audit objectives. OIG believes that the evidence obtained provides a reasonable basis for its findings and conclusions based on the audit objectives.

OIG performed fieldwork from July through October 2011. The fieldwork was completed before OMB Memorandum M-11-33, dated September 14, 2011, which provided instructions for FY 2011 reporting requirements,[1] was issued. OIG reviewed the memorandum and evaluated its impact on the results of the evaluation but determined that no changes were required.

[1] OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated Sept. 14, 2011.

Appendix B. Followup of Recommendation From the FY 2010 Federal Information Security Management Act Report

The FY 2010 Federal Information Security Management Act (FISMA) evaluation was conducted by an independent public accounting firm, which issued its report (Audit of the International Boundary and Water Commission Federal Information Security Management Act, issued July 30, 2010) with one consolidated finding and recommendation. The evaluation team reviewed actions implemented by management to respond to the findings identified in the FY 2010 FISMA report.

FY 2010 FISMA Recommendation
We recommend that USIBWC management continue its efforts to ensure that its information security program complies with the standards and guidelines established by NIST and OMB.

The status of the recommendation as presented in the report:

2011 Status: Closed. OIG reviewed the findings related to the recommendation and noted that all findings were lumped into one recommendation.
However, OIG separated each finding and assigned separate recommendations in the FY 2011 FISMA evaluation to provide IBWC management the ability to close the recommendation as corrective action is completed rather than waiting until all of the identified components of the recommendation are corrected.

Appendix C. OIG Outline for Action: Physical Security Concerns at the International Boundary and Water Commission

United States Department of State and the Broadcasting Board of Governors
Office of Inspector General

AUG 26 2011

The Honorable Edward Drusina, U.S. Commissioner
International Boundary and Water Commission
United States and Mexico, U.S. Section
4171 North Mesa Street, Suite C-100
El Paso, TX 79902-1441

Dear Commissioner Drusina:

In accordance with the Federal Information Security Management Act (FISMA) of 2002 (Public Law 107-347, Title III), the Department of State, Office of Inspector General (OIG), recently conducted a review of the International Boundary and Water Commission’s (IBWC) information security program and practices. The objective of this review was to evaluate the progress IBWC has made in implementing an effective information security program and related practices.

OIG’s Office of Audits performed the review at the El Paso (TX) headquarters and at the Yuma (AZ) and San Diego (CA) field operations offices. The complete results of the review will be issued in the FY 2011 IBWC FISMA report. However, during its review, OIG identified two physical security concerns that require your immediate attention: lack of completion of background investigations of employees and contractors at IBWC and lack of control procedures over the remote gate devices and access to IBWC operations in San Diego. The findings and recommendations are outlined in the enclosed OIG Outline for Action.

Although these recommendations will be included in OIG’s FY 2011 IBWC FISMA report, immediate action is needed to address these security issues. Therefore, please provide a response to the recommendations within 10 days of the date of this correspondence.

If you have any questions, please contact Evelyn R. Klemstine, Assistant Inspector General for Audits, by email at klemstinee@state.gov or at (202) 663-0372 or Jerry Rainwaters, Information Technology Division Director, by email at rainwatersj@state.gov or at (703) 284-1841.

Sincerely,

Enclosure

cc: USIBWC - (b) (5)
    WHA/MEX

(b) (5)

Appendix D.
International Boundary and Water Commission Response to OIG Outline for Action

INTERNATIONAL BOUNDARY AND WATER COMMISSION
UNITED STATES AND MEXICO

OFFICE OF THE COMMISSIONER
UNITED STATES SECTION

September 2, 2011

United States Department of State
Harold W. Geisel
Deputy Inspector General
Office of Inspector General
Washington, D.C. 20520

Subject: OIG Outline for Action: Physical Security Concerns at the International Boundary and Water Commission (IBWC)

Dear Mr. Geisel,

Thank you for the opportunity to respond to findings and recommendations reported in the OIG Outline for Action: Physical Security Concerns at the International Boundary and Water Commissioner report, identified during the conduct of the Federal Information Security Management (FISMA) of 2002 (Public Law 107-347, Title III) review dated August 26, 2011.

We are pleased to report that immediate steps have been initiated to implement actions to respond to findings and recommendations identified. Specific details for each finding and recommendation are provided attached.

The Commons, Building C, Suite 100, 4171 N. Mesa Street, El Paso, Texas 79902-1441
(915) 832-4100. Fax: (915) 832-4190. http://www.ibwc.gov

(b) (5)

Appendix E. International Boundary and Water Commission Response

INTERNATIONAL BOUNDARY AND WATER COMMISSION
UNITED STATES AND MEXICO

November 9, 2011

Mr. Harold W. Geisel
United States Department of State
Deputy Inspector General
Office of Inspector General
Washington, D.C. 20520

Subject: Evaluation of the United States Section, International Boundary and Water Commission (IBWC) Information Security Program

Dear Mr. Geisel:

Thank you for the opportunity to review and comment on the draft report and recommendations. The IBWC is eager to fulfill its responsibilities related to compliance with the Federal Information Security Management Act, and this evaluation has provided us clear objectives towards achieving that goal.

We are pleased to submit the following responses for your review and consideration for inclusion in the final report.
Specific details for each finding and recommendation are provided in the attached.

Sincerely,

Edward Drusina, P.E.
Commissioner

The Commons, Building C, Suite 100, 4171 N. Mesa Street, El Paso, Texas 79902-1441
(915) 832-4100, Fax: (915) 832-4190, http://www.ibwc.gov

Control Weakness A: System Inventory - IBWC has not implemented a process or procedure to update and manage its information technology (IT) assets. Without a process to properly identify, document and maintain an inventory of systems, IBWC may not have an accurate accounting of all IT assets and related system interfaces and underlying support systems.

Recommendation 1: "OIG recommends that the CIO ensure that all assets are accounted for in the inventory system and develop a process that updates, not less than annually, the IBWC's system inventory when changes are made to those information systems operated by or under the control of IBWC, or by third party contractors or agencies on behalf of IBWC as required by the Federal Information Security Management Act."

Response/Action: Concur.
The Information Management Division has initiated the development of its own IT asset inventory, in addition to the one maintained within the Department of State Integrated Logistics Management System (ILMS), in order to accurately account for all IT assets that make up the General Support System and existing Supervisory Control and Data Acquisition (SCADA) systems identified in San Diego, CA, Nogales, AZ, Amistad and Falcon, TX. Current system inventory documentation and the existing System Security Plan (SSP) are being updated to include the identified SCADA systems and the assets identified in the 1st and 3rd floor wiring closets. The existing SSP is also being updated to identify the interfaces between the Headquarters and field office LANs, and to document other networks not operated by the agency. All scheduled field office visits by the IMD will include a thorough inventory of all IT assets and documentation of their locations. Newly developed Configuration Management documentation, particularly system architecture changes that involve the addition of a new configuration item, will contain a method of requiring that the system inventory and related documentation be updated upon full implementation. The existing contract with contractors that operate systems under the IBWC's control is in the process of being modified to require that acquisition of new assets be accounted for and approved by the Information Management Division (IMD) and call for an annual inventory.

Control Weakness B: Risk Management Program - IBWC's risk management program for information security needs improvement at the organization and system levels. At the organizational level, IBWC had not implemented a risk management framework and information security policies and procedures that describe the roles and responsibilities of key participants. OIG found that IBWC did not have procedures for the risk management framework or information security policies and procedures that describe the roles and responsibilities of key participants. As such, OIG could not review the risk management framework and how IBWC manages information security risk.

Recommendation 2: "OIG recommends that the Chief Information Officer improve the risk management strategy at the organizational level for assessing, responding to, and monitoring information security risk as required in National Institute of Standards and Technology Special Publication 800-37 Revision 1."

Response/Action: Concur. The CIO has initiated steps necessary to bring about an effective risk management framework and policies and procedures in accordance with NIST SP 800-37 Revision 1. The IMD has begun updating the existing System Security Plan to include all current security baseline controls, changes in the GSS and identified SCADA systems. The IMD will prepare a new security assessment and authorization package to apply for and achieve an Authority to Operate designation from the new Designated Authority in FY12.
Following training of two IT Specialists on SCADA security in November, security assessment and authorization packages will be completed for all identified SCADA systems.

Recommendation 3: "OIG recommends that the Chief Information Officer:
    - Develop the security assessment and authorization packages for the Supervisory Control and Data Acquisition systems as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-82 and NIST SP 800-53, Revision 3.
    - Improve existing procedures to ensure security assessment and authorization packages are updated every 3 years or when a significant change occurs, as required by NIST SP 800-37, Revision 1.
    - Improve existing procedures to ensure system security plans and security assessment reports are updated as required to comply with the security baseline controls in NIST SP 800-53, Revision 3.
    - Perform annual security assessments of a subset of a system's security controls as required by NIST SP 800-37, Revision 1."

Response/Action: Concur. The CIO will take all necessary action to comply with all items under this recommendation and to comply with NIST SP 800-53, Revision 3, NIST SP 800-37, Revision 1, and SP 800-82.

Control Weakness C: Configuration Management - IBWC had not implemented effective configuration management (CM) standards and procedures for its IT environment. Although IBWC had CM standards and procedures in place, it did not account for the patch management process to evaluate patches for applicability, installation process, monitoring, and periodic review of the patch status on the systems. Further, IBWC did not maintain control over all hardware connected to its SCADA system in San Diego.

Recommendation 4: "OIG recommends the Chief Information Officer develop and implement security configuration management procedures and periodically assess compliance with the implemented procedures as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3."

Response/Action: Concur. The draft Configuration Management policy and procedure is currently being reviewed by management for approval by the Commissioner. The CIO has access to the IMD's collaboration intranet site to allow constant assessments on compliance with the newly implemented procedures. With the acquisition of new security appliances purchased in FY11, the IMD will be able to evaluate patches for applicability, install, monitor and review patch status on all systems in a much more efficient and effective way.

Recommendation 5: "OIG recommends the Chief Information Officer develop procedures for the oversight of all systems and hardware that are part of the International Boundary and Water Commission operations as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3."

Response/Action: Concur. The IMD has acquired hardware and software that will provide the necessary tools to establish an effective continuous monitoring program. These assets will help the IMD detect and measure the effectiveness of security controls applied within the GSS. All acquired items are in the process of being configured and implemented.
The IMD has already installed and configured a monitor in the general area of the IMD that automatically scrolls through the status screens of several critical systems and services in order to keep them monitored in real-time. A software application called "RedLine" which works with the enterprise email system has recently been configured to email IMD staff if any of the necessary services go down, or are showing signs of failure. Additional equipment includes an Intrusion Detection System (IDS), Network Admissions Control (NAC) and a Network Scanner which will all provide automated methods of detecting changes within our GSS and notify the IMD of compromised PCs or those that may show irregular activity. With the installation of new switches at HQ and all field offices, the IMD will gain port level visibility of all IT assets to inform our personnel of any signs of configuration changes or unauthorized activity. The IMD has also recently installed a Solar Winds Orion network performance monitor that has greatly enhanced our ability to monitor network activity. CiscoWorks has also been installed which sends alerts to IMD staff when certain network activity thresholds have been exceeded or show signs of potentially dangerous activity. A thorough inventory of all hardware connected to the SCADA system in San Diego has been completed. In addition, the contract currently in place for this Government Owned, Contractor Operated site is being modified to ensure control over all assets located at the site is managed by the IBWC. The contractor will also be required to update their internal policy and procedures to designate oversight of all systems and hardware to the IMD.

Control Weakness D: Security Training - Although IBWC's security awareness training program requires all personnel to complete annual security awareness training and users with significant security responsibilities to complete specialized training, OIG found that IBWC employees had not completed their general security awareness training and employees with significant security responsibilities had not completed their specialized training.

Recommendation 6: "OIG recommends the Chief Information Officer enforce the security awareness training policy requiring all personnel to attend initial and refresher security awareness training and enforce consequences of non-compliance for personnel who do not successfully complete the security awareness training as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3, and Office of Management and Budget Circular No. A-130."

Response/Action: Concur. The IMD conducted five IT Security training classes immediately after the OIG visit in August resulting in 235 employees out of 272 completing their annual IT Security training. Ten from HQ and 27 from the field offices did not attend the training sessions, resulting in an approximately 87% completion rate. All employees at HQ that did not attend training completed their training through alternate means after the September 30th deadline. Employees in the field offices which have not conducted the training have had their accounts disabled until they are able to complete the IT Security course. The IMD is maintaining the required documentation for all training conducted, along with attendance rosters. The IMD has also acquired a cloud based training system that will allow for a much more efficient method to provide IT Security training to IBWC personnel.
The new system will establish a username and password for each employee to enter the training and their completion of over twelve modules will be monitored, to include scoring of review questions at the end of each module.

Recommendation 7: "OIG recommends the Chief Information Officer enforce the security awareness training requirement for those personnel with significant security responsibilities as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3, and Office of Management and Budget Circular No. A-130."

Response/Action: Concur. Of the eight employees within the agency with significant security responsibilities, five attended training, resulting in approximately 63% of employees with significant security responsibilities meeting this requirement. The remaining employees are scheduled to obtain the required training in FY12.

Control Weakness E: Plan of Action and Milestones - IBWC had not effectively implemented a Plan of Action and Milestones (POA&M) process. The implementation of a POA&M process is important to assess the state of the GSS security posture and to aid in oversight of IT investments.

Recommendation 8: "OIG recommends the Chief Information Officer implement a Plan of Action and Milestones (POA&M) process, and review the quarterly POA&M reports and all elements of the POA&M as required by Office of Management and Budget (OMB) Memorandum M-02-01 and OMB Memorandum M-08-21."

Response/Action: Concur. The draft Plan of Action and Milestones policy and procedure, which includes controls to methodically address findings and facilitate review by the CIO on a quarterly basis, is currently being reviewed by management for approval by the Commissioner. The new policy and procedure ensures all required information within each PoA&M contains required information such as resource requirements, corrective action milestones required to close the PoA&M deficiency and changes to milestones. The Office of Management and Budget's (OMB) Memorandum M-02-01 and M-08-21 were reviewed to ensure those requirements are included in the new policy and procedure.

Control Weakness F: Remote Access - IBWC had not developed and implemented a remote access policy and procedure to comply with NIST requirements. NIST SP 800-53 Revision 3 states that the organization documents, monitors, and controls all methods of remote access (for example, dial-up and the Internet) to the information system,
including remote access for privileged functions. Appropriate organization officials authorize each remote access method for the information system and authorize only the necessary users for each access method.

Recommendation 9: "OIG recommends the Chief Information Officer develop a remote access policy and procedure as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3."

Response/Action: Concur. The IMD is currently updating the existing Access Control policy and procedure to more adequately document the remote access process. The updated documentation will address the methods by which the agency monitors and controls all means of remote access to the information system, including remote access for privileged functions.

Control Weakness G: Continuous Monitoring - IBWC had not developed a means to implement continuous monitoring of its information technology systems. OIG found that although IBWC assessed some of the controls of the operating environment, these were manual controls and IBWC had not performed automated routine security assessments of its system environment using the framework outlined in NIST SP 800-53A. In November 2009, IBWC performed the security test and evaluation to verify compliance with its security policy guidelines and to evaluate their effectiveness against anticipated threats. In addition, IBWC ensured that a comprehensive testing activity was identified to cover all appropriate security requirements, involved all necessary individuals, and ultimately provided the information needed to support the security assessment and authorization (formerly certification and accreditation) process. However, IBWC had not expanded the process to include the periodic re-performance of vulnerability scans for its systems or automated routine performance of such scans on its enterprise network method.

Recommendation 10: "OIG recommends the Chief Information Officer develop and implement policies and procedures to perform continuous monitoring to include automated routine vulnerability assessments for all major systems and General Support Systems (GSS). The results of such security assessments should be reviewed and Plans of Action and Milestones should be developed for the improvement of the security controls of major systems and GSS as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-53, Revision 3, and NIST SP 800-53A."

Response/Action: Concur. The IMD has acquired hardware and software that will provide the necessary tools to establish an effective continuous monitoring program. These assets will help the IMD detect and measure the effectiveness of security controls applied within the GSS. All acquired items are in the process of being configured and implemented. The IMD has already installed and configured a monitor in the general area of the IMD that automatically scrolls through the status screens of several critical systems and services in order to keep them monitored in real-time.
A software application called "RedLine" which works with the enterprise email system has recently been configured to email IMD staff if any of the necessary services go down or are showing signs of failure. Additional equipment includes an Intrusion Detection System (IDS), Network Admissions Control (NAC) and a Network Scanner which will all provide automated methods of detecting changes within our GSS and notify the IMD of compromised PCs or those that may show irregular activity. With the installation of new switches at HQ and all field offices, the IMD will gain port level visibility of all IT assets to inform our personnel of any signs of configuration changes or unauthorized activity. The IMD has also recently installed a Solar Winds Orion network performance monitor that has greatly enhanced our ability to monitor network activity. CiscoWorks has also been installed which sends alerts to IMD staff when certain network activity thresholds have been exceeded or show signs of potentially dangerous activity.

Control Weakness H: Contingency Planning - IBWC's Continuity of Operations (COOP) does not comply with NIST SP 800-34. IBWC had not updated its contingency plan and testing policies and procedures. Specifically, the IBWC COOP for its GSS had not been updated to reflect significant changes to the environment and testing had not been performed.

Recommendation 11: "OIG recommends that the International Boundary and Water Commission finalize the Continuity of Operations site and conduct testing for operational effectiveness as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1."

Response/Action: Concur. The IMD is in the process of updating the current COOP policy and procedure as the infrastructure at the COOP site in Las Cruces, NM continues to be developed. Both the Multiprotocol Label Switching (MPLS) and Digital Signal 3 (DS3) connectivity of the COOP site have been tested and verified. A more adequate AC unit was recently installed to accommodate the additional equipment that will be installed soon. The site is currently being used as an active offsite storage location of all data backups (HQ & Field Offices). In addition, an environmental monitoring system was installed that will immediately alert IMD personnel of any issues with temperature, moisture or power outages at that location. The VPN appliance required for remote connection to our critical data has been installed and is being configured. This will allow for critical mission functions to continue remotely in the event of a disaster. The IMD is developing a continuity plan to be reviewed by management to determine what level of COOP the IMD will be required to maintain, taking into consideration the financial and maintenance requirements needed.

Recommendation 12: "OIG recommends that the International Boundary and Water Commission identify an offsite backup for its three field offices in Nogales, Arizona; San Diego, California; and Yuma, Arizona as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1."

Response/Action: Resolved. The IMD has acquired the needed client to allow for the full offsite backup of all field offices. All data from these field offices are now copied on a daily (differential) and weekly (full) basis to the HQ SAN and then replicated to the offsite Las Cruces backup site.
The IMD had not been able to conduct offsite backups for those three field offices due to lack of a compatible backup client with our existing Commvault backup solution and the Netware OS existing on those servers.

Recommendation 13: OIG recommends that International Boundary and Water Commission ensure that its Information Management Division is involved in the oversight of information technology assets purchased and maintained by the contractor in support of operations at the waste treatment plant in San Diego, California as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-53, Revision 3, NIST SP 800-82, and Office of Management and Budget Memorandum M-11-33.

Response/Action: Concur. The CIO is requiring modifications to the contract in place, to ensure the IMD is notified in a timely manner of all planned technology asset purchases, in order to provide the required level of oversight of new IT purchases and existing assets maintained by the contractor. The review process will encompass review of all hardware and software. An inventory of all existing hardware located at the contractor GOCO facility in San Diego, CA has been completed. IT Specialists from the IMD will conduct a hardware vulnerability assessment of existing equipment at the South Bay International Waste Water Treatment Plant (SBIWTP) as soon as possible. This will result in a baseline from which to work in order to bring their equipment into compliance with SP 800-82. The IMD will create specific PoA&M's to act as our tracking mechanism with the contractor in order to measure their progress towards resolving those issues.

Recommendation 14: OIG recommends that International Boundary and Water Commission (IBWC) ensure that its Information Management Division reviews and approves software prior to installation on IBWC assets as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-53, Revision 3 and Office of Management and Budget Memorandum M-11-33.

Response/Action: Concur. The CIO is requiring modifications to the contract in place, to ensure the IMD is notified in a timely manner of all planned software purchases in order to provide the required level of oversight of new IT purchases and existing software maintained by the contractor. An inventory of all non-standard software located within the contractor GOCO systems in San Diego, CA will be conducted. IT Specialists from the IMD will conduct a software vulnerability assessment at the South Bay International Waste Water Treatment Plant (SBIWTP) as soon as possible. This will result in a baseline from which to work in order to bring their software into compliance.
The IMD will create specific PoA&M's to act as our tracking mechanism with the contractor in order to measure their progress towards resolving those issues.

Recommendation 15: OIG recommends that the Chief Information Officer ensure that all funding for information technology (IT) security investment and IT components is tracked as required by Office of Management and Budget Memorandum M-11-33.

Response/Action: Concur. The CIO will utilize and expand upon the existing budget account structure in place, which tracks all expenses by Operating Allowance or Cost Center for all labor and non-labor costs, to track all IT costs. All funding and costs for information technology (IT) security investments and IT components will be tracked consistent with Office of Management and Budget Memorandum M-11-33. In addition, the IBWC will ensure that through an effective information security program, this agency will effectively protect information and systems as well as maintain the integrity, reliability, availability, and confidentiality of our information, consistent with Office of Management and Budget Memorandum M-00-07 and M-06-19.

(b) (5)

(b) (5)

(b) (5)

(b) (5)

Recommendation 19: OIG recommends the International Boundary and Water Commission (IBWC) implement a process to review, update, and approve the Information Management Division staff access list to the server room at its office in El Paso, Texas, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response/Action: Concur. The CIO and IMD recognize the risks associated with an unmonitored entry way into the agency's main LAN room and will take the necessary steps to implement an additional proximity card reader to limit access to only authorized IMD personnel.
In addition to the existing, posted access list of authorized personnel outside of the LAN room, a process to review, update and approve the access list at least annually will be implemented.

(b) (5)

Recommendation 21: OIG recommends the International Boundary and Water Commission (IBWC) determine the most cost effective protective measures for fire prevention and damage to file servers as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response/Action: Concur. The CIO, working with the IMD, will issue specific guidance to the San Diego and Yuma Area Operations Managers, detailing actions required to remove all unnecessary items out of the server rooms to minimize or eliminate the potential of damage to equipment or injury to personnel. The new building to be occupied by IBWC personnel in Yuma, AZ will have a separate room specifically for IBWC's LAN equipment only, and will not be used for storage as is currently the case. Reviewed plans for the LAN room in that facility include smoke and environmental detectors as well as a fire extinguisher. New building plans for the San Diego field office have not been developed yet, but as an immediate action, we have informed the staff there to remove all clutter and other flammable material from the LAN room as well as requiring them to securely bolt down the server rack to the floor as soon as possible. The Area Operations Manager will also be required to keep the LAN room secured and only allow authorized personnel.

Major Contributors to this Report

Mr. Jerry Rainwaters, Division Director, Information Technology Division, Office of Audits

Ms. Dayo Onafowokan, Auditor-in-Charge, Information Technology Division, Office of Audits

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT of Federal programs and resources hurts everyone.

Call the Office of Inspector General HOTLINE, 202/647-3320 or 1-800-409-9926, to report illegal or wasteful activities.

You may also write to
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219

Please visit our Web site at oig.state.gov

Cables to the Inspector General should be slugged "OIG Channel" to ensure confidentiality.